Data processing method, system, and apparatus, storage medium, and device
Abstract
This application discloses a data processing method, system, and apparatus, a storage medium, and a device, and belongs to the field of database technologies. The method includes receiving, a trigger request; triggering, according to the trigger request, the first cloud encryptor to store a root key seed, an operating policy, a data key seed, and a data key identifier, and triggering the database proxy to store an encryption data dictionary, the operating policy indicating an operation policy of the first cloud encryptor. The method further includes receiving a data processing request from the client; sending first data that the data processing request requests to process and the data key identifier in the encryption data dictionary to the first cloud encryptor. The method further includes implementing the operating policy, processing the first data, and responding to the data processing request by using the second data.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A data processing method, applied to a cloud manager of a data processing system, the data processing system further including a cloud encryptor and a database proxy, and the data processing method comprising:
receiving a trigger request from a client; and
in response to receipt of the trigger request, triggering the cloud encryptor to store a root key seed, an operating policy, a data key seed, and a data key identifier, and triggering the database proxy to store an encryption data dictionary,
wherein after receipt from the client of a data processing request requesting to process first data, and in response to determining that the first data matches the encryption data dictionary, the database proxy sends the first data and the data key identifier in the encryption data dictionary to the cloud encryptor,
wherein the cloud encryptor implements the operating policy, processes the first data by using the root key seed and the data key seed corresponding to the data key identifier, and sends second data obtained after the processing to the database proxy,
wherein the database proxy responds to the data processing request by using the second data,
and wherein the cloud encryptor makes a delayed response to a detected behavior indicating illegitimate accessing the root key seed or the data key seed, according to an attack force of the detected behavior, or, destructing the root key seed, the operating policy, the data key seed, or the data key identifier that are stored in the cloud encryptor according to the attack force of the detected behavior.
2. The data processing method of claim 1 , wherein the data processing system further includes a USB key connected to the client, the method further comprising:
sending the data key identifier to the cloud encryptor, wherein the cloud encryptor determines the root key seed and the data key seed according to the data key identifier, encrypts the data key seed by using a root key, and sends the data key identifier and the data key seed as encrypted to the cloud manager, the root key being generated based on the root key seed;
receiving from the cloud encryptor the data key identifier and the data key seed as encrypted;
sending the data key identifier and the data key seed as encrypted to the client, wherein the client writes the data key identifier and the data key seed as encrypted into the USB key for backup storage.
3. The data processing method of claim 1 , wherein the trigger request includes a first trigger request and a second trigger request, the method further comprising:
triggering, according to the first trigger request, the cloud encryptor to store the root key seed and the operating policy; and
triggering, according to the second trigger request, the cloud encryptor to store the data key seed and the data key identifier, and triggering the database proxy to store the encryption data dictionary.
4. The data processing method of claim 3 , wherein the cloud encryptor is a first cloud encryptor, and the data processing system further includes a second cloud encryptor, the method further comprising:
instructing, according to the first trigger request, the client to select a first encryption algorithm, and to send the first encryption algorithm to the second cloud encryptor;
receiving the root key seed sent by the second cloud encryptor, the root key seed being generated by the second cloud encryptor, and the root key seed carrying a flag bit indicating the first encryption algorithm; and
instructing the client to select the operating policy, and to send the root key seed and the operating policy to the first cloud encryptor for storage.
5. The data processing method of claim 3 , further comprising:
obtaining a data dictionary of the database through the database proxy according to the second trigger request, and instructing the client to select a second encryption algorithm and an encryption granularity, the encryption granularity being one of a database, a table, and a field;
sending the second encryption algorithm to the cloud encryptor;
receiving the data key identifier sent from the cloud encryptor, the data key identifier being sent after the cloud encryptor generates the data key identifier and the data key seed, and the data key seed carrying a flag bit indicating the second encryption algorithm; and
writing the data key identifier and the encryption granularity into the encryption data dictionary, and sending the encryption data dictionary to the database proxy for storage.
6. The data processing method of claim 1 , wherein the data processing request includes a data read request or a data write request.
7. A cloud manager of a data processing system, the data processing system further including a cloud encryptor and a database proxy, the cloud manager comprising:
a processor; and a memory coupled to the processor and storing computer-readable program instructions executable by the processor to perform:
receiving a trigger request from a client; and
in response to receipt of the trigger request, triggering the cloud encryptor to store a root key seed, an operating policy, a data key seed, and a data key identifier, and triggering the database proxy to store an encryption data dictionary,
wherein after receipt from the client of a data processing request requesting to process first data, and in response to determining that the first data matches the encryption data dictionary, the database proxy sends the first data and the data key identifier in the encryption data dictionary to the cloud encryptor,
wherein the cloud encryptor implements the operating policy, processes the first data by using the root key seed and the data key seed corresponding to the data key identifier, and sends second data obtained after the processing to the database proxy,
wherein the database proxy responds to the data processing request by using the second data,
and wherein the cloud encryptor makes a delayed response to a detected behavior indicating illegitimate accessing the root key seed or the data key seed, according to an attack force of the detected behavior, or, destructing the root key seed, the operating policy, the data key seed, or the data key identifier that are stored in the cloud encryptor according to the attack force of the detected behavior.
8. The cloud manager of claim 7 , wherein the data processing system further includes a USB key connected to the client, and wherein the computer-readable program instructions are executable by the processor to further perform:
sending the data key identifier to the cloud encryptor, wherein the cloud encryptor determines the root key seed and the data key seed according to the data key identifier, encrypts the data key seed by using a root key, and sends the data key identifier and the data key seed as encrypted to the cloud manager, the root key being generated based on the root key seed;
receiving from the cloud encryptor the data key identifier and the data key seed as encrypted;
sending the data key identifier and the data key seed as encrypted to the client, wherein the client writes the data key identifier and the data key seed as encrypted into the USB key for backup storage.
9. The cloud manager of claim 7 , wherein the trigger request includes a first trigger request and a second trigger request, and wherein the computer-readable program instructions are executable by the processor to further perform:
triggering, according to the first trigger request, the cloud encryptor to store the root key seed and the operating policy; and
triggering, according to the second trigger request, the cloud encryptor to store the data key seed and the data key identifier, and triggering the database proxy to store the encryption data dictionary.
10. The cloud manager of claim 9 , wherein the cloud encryptor is a first cloud encryptor, and the data processing system further includes a second cloud encryptor and wherein the computer-readable program instructions are executable by the processor to further perform:
instructing, according to the first trigger request, the client to select a first encryption algorithm, and to send the first encryption algorithm to the second cloud encryptor;
receiving the root key seed sent by the second cloud encryptor, the root key seed being generated by the second cloud encryptor, and the root key seed carrying a flag bit indicating the first encryption algorithm; and
instructing the client to select the operating policy, and to send the root key seed and the operating policy to the first cloud encryptor for storage.
11. The cloud manager of claim 9 , wherein the computer-readable program instructions are executable by the processor to further perform:
obtaining a data dictionary of the database through the database proxy according to the second trigger request, and instructing the client to select a second encryption algorithm and an encryption granularity, the encryption granularity being one of a database, a table, and a field;
sending the second encryption algorithm to the cloud encryptor;
receiving the data key identifier sent from the cloud encryptor, the data key identifier being sent after the cloud encryptor generates the data key identifier and the data key seed, and the data key seed carrying a flag bit indicating the second encryption algorithm; and
writing the data key identifier and the encryption granularity into the encryption data dictionary, and sending the encryption data dictionary to the database proxy for storage.
12. The cloud manager of claim 7 , wherein the data processing request includes a data read request or a data write request.
13. A non-transitory storage medium storing a computer program, the computer program, when being executed by a cloud manager of a data processing system, causing the cloud manager to perform:
receiving a trigger request from a client, wherein the data processing system further includes a cloud encryptor and a database proxy; and
in response to receipt of the trigger request, triggering the cloud encryptor to store a root key seed, an operating policy, a data key seed, and a data key identifier, and triggering the database proxy to store an encryption data dictionary,
wherein after receipt from the client of a data processing request requesting to process first data, and in response to determining that the first data matches the encryption data dictionary, the database proxy sends the first data and the data key identifier in the encryption data dictionary to the cloud encryptor,
wherein the cloud encryptor implements the operating policy, processes the first data by using the root key seed and the data key seed corresponding to the data key identifier, and sends second data obtained after the processing to the database proxy,
wherein the database proxy responds to the data processing request by using the second data,
and wherein the cloud encryptor makes a delayed response to a detected behavior indicating illegitimate accessing the root key seed or the data key seed, according to an attack force of the detected behavior, or, destructing the root key seed, the operating policy, the data key seed, or the data key identifier that are stored in the cloud encryptor according to the attack force of the detected behavior.
14. The storage medium of claim 13 , wherein the data processing system further includes a USB key connected to the client, and the computer program further cause the processor to perform:
sending the data key identifier to the cloud encryptor, wherein the cloud encryptor determines the root key seed and the data key seed according to the data key identifier, encrypts the data key seed by using a root key, and sends the data key identifier and the data key seed as encrypted to the cloud manager, the root key being generated based on the root key seed;
receiving from the cloud encryptor the data key identifier and the data key seed as encrypted;
sending the data key identifier and the data key seed as encrypted to the client, wherein the client writes the data key identifier and the data key seed as encrypted into the USB key for backup storage.
15. The storage medium of claim 13 , wherein the trigger request includes a first trigger request and a second trigger request, and the computer program further cause the processor to perform:
triggering, according to the first trigger request, the cloud encryptor to store the root key seed and the operating policy; and
triggering, according to the second trigger request, the cloud encryptor to store the data key seed and the data key identifier, and triggering the database proxy to store the encryption data dictionary.
16. The storage medium of claim 15 , wherein the cloud encryptor is a first cloud encryptor, and the data processing system further includes a second cloud encryptor, the computer program further cause the processor to perform:
instructing, according to the first trigger request, the client to select a first encryption algorithm, and to send the first encryption algorithm to the second cloud encryptor;
receiving the root key seed sent by the second cloud encryptor, the root key seed being generated by the second cloud encryptor, and the root key seed carrying a flag bit indicating the first encryption algorithm; and
instructing the client to select the operating policy, and to send the root key seed and the operating policy to the first cloud encryptor for storage.
17. The storage medium of claim 15 , wherein the computer program further cause the processor to perform:
obtaining a data dictionary of the database through the database proxy according to the second trigger request, and instructing the client to select a second encryption algorithm and an encryption granularity, the encryption granularity being one of a database, a table, and a field;
sending the second encryption algorithm to the cloud encryptor;
receiving the data key identifier sent from the cloud encryptor, the data key identifier being sent after the cloud encryptor generates the data key identifier and the data key seed, and the data key seed carrying a flag bit indicating the second encryption algorithm; and
writing the data key identifier and the encryption granularity into the encryption data dictionary, and sending the encryption data dictionary to the database proxy for storage.
18. The storage medium of claim 13 , wherein the data processing request includes a data read request or a data write request.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.